On Monday March 24th, Ellen Nakashima published a story in the Washington Post describing one of the most significant government security programs active today. She reported that White House official Lisa Monaco, deputy national security adviser for homeland security and counterterrorism, told industry executives that, in 2013, federal agents notified more than 3,000 U.S. companies that their computer systems had been hacked. Nakashima added that the Federal Bureau of Investigation performed approximately 2,000 of the notifications in person or by phone, relying on the nearly 1,000 agents available for cybersecurity investigations.
For several years I’ve publicly stated that I consider this external notification program to be one of the most effective cybersecurity tools offered by the federal government. According to statistics compiled from the consulting practice of security firm Mandiant, only one-third of intrusion victims detect breaches using their own resources. More frequently – two-thirds of the time – third parties tell organizations that they have fallen prey to computer intrusions. These findings mirror those reported by managed security firm Verizon, whose annual data breach survey reports a 70 percent external notification rate. The parties responsible for these breaches include professional nation-state operators, organized crime elements, and so-called “hacktivists” – e.g. those seeking to advance personal agendas.
The FBI, United States Secret Service, Air Force Office of Special Investigations, Navy Criminal Investigative Service, and other law enforcement and intelligence groups track significant intrusions and make best-effort attempts to warn enterprise-level organizations, not consumers. They support Section 4 of the president’s February 2013 Executive Order on Improving Critical Infrastructure Cybersecurity, which states, “It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.” However, the notification program has been operating since at least 2007, and likely a year or more before that, based on the author’s experience.
The notification process is a shock for every organization. Frequently an agent will approach the corporate security team of the victim company, authenticate himself or herself as a federal agent via credentials, then present copies of stolen data to the surprised employees. The agent will explain that an advanced persistent threat actor or serious financial crime group stole the data and that the notification is a call to action. The agents are generally not in a position to provide direct security or forensic assistance, but they will give limited indicators of compromise (“IOCs”) such as Internet Protocol (IP) addresses, domain names (e.g., www.example.com), and timeframes associated with the malicious activity. The agents have collected this data in the course of watching foreign threat groups hack thousands of victims per year.
Although those attentive to the computer security community have known about these notifications for several years, only this week has the scale of the program become public. The 3,000-plus company count is a crucial statistic because it represents clearly identified breach victims. It is not, in contrast, a count of “attacks,” which are reported in the popular press and by government officials as numbering in the millions per day or week. Such figures are generally worthless because there is no consensus definition for an attack, and anything approaching that order of magnitude likely represents mindless automatic scanning of the Internet. No serious security professional should seek to guide policy using such loose figures.
On the contrary, it is shocking to learn that federal officials told over 3,000 US companies in a single year that they were the victims of significant intrusions. Furthermore, this is a lower bound for the number of malicious events. Many of the 3,000 victims were likely hacked more than once in a calendar year. In Mandiant’s experience, several threat groups are often active within a single victim network. In some cases, Mandiant consultants have discovered up to seven independent threat groups roaming company networks at a time. The consultants have assessed these groups as acting separately due to their pattern of independently stealing the same resources, such as usernames and passwords. If the groups were collaborating, there would be no need to acquire the same information repeatedly; one group could steal and then share the proceeds with their collaborators. This is usually not the case.
There is a positive side to this astounding report. It involves the maturation process associated with learning that one’s organization is a breach victim. Sustained contact with the adversary is the best teacher. Once a company faces the truth that a determined digital foe has infiltrated the network, the work of implementing real security measures can begin. Companies can look to supplement their traditional security measures (anti-virus, firewalls, and the like) with advanced capabilities that instrument the network, collect logs, and sweep endpoints for indicators of compromise. A strategy of minimized loss through fast detection and response works best against persistent, resourced intruders.
The federal government should be praised for performing this notification work and for releasing the first statistics on its performance in 2013. These ground truth statistics are the best motivator to action one could hope to find in the digital security world. It would be better if organizations became more proactive, however, choosing to hunt for intruders on their own or with partners prior to any federal notification. The enterprise is only as secure as the measures taken to identify security lapses.